The present document specifies the Service Information (SI) data which forms a part of Digital Video Broadcasting
(DVB) bitstreams, in order that the user can be provided with information to assist in selection of services and/or events
within the bitstream, and so that the Integrated Receiver Decoder (IRD) can automatically configure itself for the
selected service. SI data for automatic configuration is mostly specified within ISO/IEC 13818-1 [1] as Program
Specific Information (PSI).
The present document specifies additional data which complements the PSI by providing data to aid automatic tuning of
IRDs, and additional information intended for display to the user. The manner of presentation of the information is not
specified in the present document, and IRD manufacturers have freedom to choose appropriate presentation methods.
It is expected that an Electronic Programme Guide (EPG) will be a feature of Digital TeleVision (TV) transmissions.
The definition of an EPG is outside the scope of the present document (i.e. the SI specification), but the data contained
within the SI specified in the present document may be used as the basis for an EPG.
Rules of operation for the implementation of the present document are specified in ETSI TS 101 211 [i.1].

The present document specifies technical cybersecurity product requirements and corresponding assessment criteria for
boot managers. The products with digital elements in scope, thereafter "the products":
• are specified within the technical description of the category of product number 8 by the Commission
Implementing Regulation (EU) 2025/2392 [i.2] as:
"Software products with digital elements that manage the process of initial system startup after power
on/restart by initialising hardware, loading or transferring control to the operating system environment or
system resources, and selecting boot options. This category includes but is not limited to UEFI firmware,
single-stage and multi-stage boot loaders."
• are only covered within the product context described in clause 4.
The scope covers software and firmware components that manage the boot process from power-on through
establishment of the chain of trust to handoff to the boot target. Products in scope include boot management software
and firmware regardless of distribution model or integration level. These are:
• System firmware that performs hardware initialisation and boot management.
• Bootloaders that manage boot target selection, verification, and loading.
• Embedded boot firmware in IoT and embedded devices.
• Network boot implementations enabling remote boot capabilities.
• Boot managers that integrate with hardware security components for chain of trust establishment.
NOTE 1: Boot managers may be single-stage (direct loading) or multi-stage (staged verification).
NOTE 2: For microcontrollers (MCUs) and microprocessors (MPUs):
• Silicon-integrated immutable firmware: Mask ROM, fused code, or boot firmware integrated during chip
manufacturing is assessed as part of MCU/MPU hardware under semiconductor standards.
• Updateable boot managers: Boot software in flash storage (including OTP programmed post-manufacture) is
assessed using the present document when distinctly identifiable or independently updatable.
NOTE 3: Runtime services executing after boot target handoff (such as secure monitor mode handlers or attestation
services) are in scope only if they provide verification or attestation services to the boot process itself, not
to the boot target.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the
Regulation (EU) 2024/2847 [i.1], Annex I Part I under the conditions identified in Annex A.

The present document specifies technical requirements and corresponding assessment criteria for Virtualisation
Execution Stack (VES) and Container Execution Stack (CES) products, including hypervisors and container runtime
systems, related to cybersecurity. The products with digital elements in scope, thereafter referred to as the "product":
• are specified within the "technical description" of the "category of product" in Class II, point 1 by the
Commission Implementing Regulation (EU) 2025/2392 [i.2] as:
"Hypervisors and container runtime systems that support virtualised execution of operating systems and
similar environments";
• are only covered within the product context described in clause 4.
The present document covers those products to demonstrate compliance with essential cybersecurity requirements in the
Regulation (EU) 2024/2847 [i.1], Annex I, Part I under the conditions identified in Annex A.
Commission Implementing Regulation (EU) 2025/2392 [i.2] identifies hypervisors and container runtime systems as
core components. However, actual market products typically include additional elements beyond the hypervisor kernel
or container runtime binary. These additional components provide essential management, orchestration, and operational
capabilities that are necessary for real-world deployment and are therefore included within the scope of the present
document.
The present document addresses the CRA Class II, point 1 product category within the following product contexts:
• Virtualisation Execution Stack (VES) for hypervisor-based environments; and
• Container Execution Stack (CES) for container-based environments.
The corresponding terms and definitions are provided in clause 3. The architectural decomposition, in-scope
components, and security-relevant environmental dependencies are specified in clause 4.
Accordingly, the present document defines security requirements not only for the core execution systems identified in
the CRA but also for the broader product context in which these systems are deployed, ensuring alignment with market
reality and comprehensive coverage of security risks. The Management and Orchestration (M&O) System, Container
Engine (CE), and Container Orchestrator (CO) are covered by the present document and are in scope only where they
are developed or provided by the manufacturer, or under the responsibility of the manufacturer, as part of the declared
product.
Any usage of AI agents is out of scope of the present document.
Where the product includes or depends on components that are outside the scope of the present document, the
applicable requirements are to be addressed through the relevant operational-environment provisions or other relevant harmonised standards, as identified in clause 4.3.